The Bastion host template gives you an option to enable Multi-factor authentication (MFA). Once selected, the instance will use the open source Google Authenticator (Apache License 2.0) Pluggable Authentication Module (PAM) to enable MFA.
The CloudFormation template will install and configure the Google Authenticator PAM module on the instance. If enabled, this module will force operators using SSH to access the bastion host to provide a one-time use password generated by an application in addition to their username and a key.
The PAM module will be configured based on the values provided in the initialization command given in the template:
- Authentication tokens are time-based
- Disallows multiple uses of the same authentication token and restricts logins to about once every 30s
- Tokens are valid for 30 seconds
- In order to compensate for possible time-skew between the client and the server, allows an extra token before and after the current time
- Enables rate-limiting for the authentication module to no more than 3 login attempts every 30s
When an operator uses SSH to access the instance for the first time, the initialization app will run and add MFA to that user account. The app will output a URL that has a QR code which can be scanned in any one-time password (OTP) generator applications like Google Authenticator, Authy, etc. on the operator’s device to register the instance. It also generates a secret key, a verification code, and some recovery codes. You can either scan the barcode or manually enter the generated secret key in the application to register the instance. You must save the recovery codes in a secure place for use if you lose access to the application. Each recovery code, along with the username and the key, can be used once to SSH without the OTP code.
After the first log in attempt, next time when the operator tries to access instance, it will require the username, the SSH key and an OTP code generated in the OTP generator application on their devices.